Set up the DMZ on a third NIC (to keep the DMZ packets separate from those on
your regular network). Define the NIC (in this example eth2) with a different
subnet than your regular network. If you are using the Buffalo wireless router
on this subnet, it comes preconfigured with a 192.168.11.x address, so that
subnet is a good choice (assuming the regular network is 192.168.1.x).

The NIC's settings are kept in /etc/sysconfig/network-scripts/ifcfg-ethx,
/etc/sysconfig/networking/devices/ifcfg-ethx and
/etc/sysconfig/networking/profiles/default/ifcfg-ethx (where "x" is your
network adapter's number). Note that you must not use uppercase letters in
the hexadecimal MAC address set by the HWADDR parameter. If you do, the
brain-dead code in /sbin/ifup and /sbin/ifdown will not work properly. Here's
a sample for the DMZ NIC.

Using this setup, machines from within the DMZ will be able to access machines
on the internal network. If you'd rather not allow this to happen, you need to
configure a custom NARC rule that prevents bridging between the DMZ subnet and
the internal subnet.

/etc/narc/narc-custom.conf:

Adding the following lines to this file will prevent any packets originating
in the DMZ from being bridged to the internal network:

#
# Rule to prevent packets from traversing from the DMZ subnet to the internal
# subnet to keep viruses and other nasty stuff from getting at the good
# stuff. The other direction is OK, presumably.
#
# Note that all attempts to bridge from the DMZ to the internal subnet are
# logged with a prefix of BRIDGE.
#
$IPTABLES -N BRIDGE_REJECT
$IPTABLES -A BRIDGE_REJECT -j LOG --log-level $NORM_LOG_LEVEL \
    --log-prefix \"BRIDGE \" --log-ip-options --log-tcp-options
$IPTABLES -A BRIDGE_REJECT -j REJECT
# Hook the rule in to the forward chain.
$IPTABLES -I FORWARD -i $DMZ_INTERFACE -o $LAN_INTERFACE -j BRIDGE_REJECT
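
Once the rule is in place, the BRIDGE-prefixed log entries show which DMZ hosts are trying to reach the internal network. The script below is an added example, not part of the original page or of NARC: it summarises those entries per source, destination, protocol and destination port. The sample lines are constructed in the kernel's usual netfilter LOG layout; the hostname fw, the LAN interface eth0, the addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example: summarise DMZ->LAN attempts logged by the BRIDGE_REJECT chain.

# Constructed sample lines (not real traffic); eth0 as the LAN NIC is assumed.
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 fw kernel: BRIDGE IN=eth2 OUT=eth0 SRC=192.168.11.23 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=40022 DPT=445 SYN
Jan 12 03:14:08 fw kernel: BRIDGE IN=eth2 OUT=eth0 SRC=192.168.11.23 DST=192.168.1.10 LEN=60 TTL=63 PROTO=TCP SPT=40023 DPT=445 SYN
Jan 12 03:15:40 fw kernel: BRIDGE IN=eth2 OUT=eth0 SRC=192.168.11.50 DST=192.168.1.1 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Jan 12 03:16:02 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=40 PROTO=TCP SPT=5555 DPT=22 SYN
Jan 12 03:17:11 fw kernel: BRIDGE IN=eth2 OUT=eth0 SRC=192.168.11.23 DST=192.168.1.20 LEN=71 TTL=63 PROTO=UDP SPT=5353 DPT=53
EOF
}

# Read syslog lines on stdin and print "count src dst proto dport" for each
# distinct flow, busiest first. Only lines with the "BRIDGE " prefix count;
# protocols without a destination port (e.g. ICMP) show "-" in that column.
bridge_summary() {
    awk '
    / BRIDGE IN=/ {
        src = dst = proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue          # flags such as SYN carry no value
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (src != "" && dst != "") hits[src " " dst " " proto " " dpt]++
    }
    END { for (f in hits) print hits[f], f }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a live system feed it the kernel log.
sample_log | bridge_summary
```

Replies from DMZ hosts to connections opened from the internal network also cross FORWARD from the DMZ interface to the LAN interface, so entries for such return traffic in this summary mean the rule is matching more than DMZ-originated connections.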